Worrying rousette warnings in log #892

Open
troglobit opened this issue Jan 15, 2025 · 3 comments
Labels
enhancement New feature or request security Medium or higher security impact

@troglobit
Contributor

Suggest patching these two logs that might look a bit worrying to end users:

```
Jan 14 05:42:12 ix-00-00-00 rousette[3439]: [2025-01-14 05:42:12.277] [rousette] [info] NACM config validation: Anonymous user access disabled
Jan 14 05:42:12 ix-00-00-00 rousette[3439]: [2025-01-14 05:42:12.278] [rousette] [warning] Telemetry disabled. No CzechLight YANG modules found.
```
@troglobit troglobit added enhancement New feature or request triage Pending investigation & classification (CCB) labels Jan 15, 2025
@mattiaswal mattiaswal self-assigned this Jan 20, 2025
@mattiaswal
Contributor

Agree!

@mattiaswal mattiaswal removed their assignment Jan 20, 2025
@mattiaswal mattiaswal added the security Medium or higher security impact label Jan 21, 2025
@mattiaswal
Contributor

I would say that the first "info" is more of a security issue that needs to be patched away in rousette (and upstreamed):
From the README of rousette, anonymous access is enabled when:

1. The first entry of `rule-list` list must be configured for `ANONYMOUS_USER_GROUP`.
2. All the rules except the last one in this rule-list entry must enable only "read" access operation.
3. The last rule in the first rule-set must be a wildcard rule that disables all operations over all modules.

The anonymous user access is disabled whenever these rules are not met.
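
The three conditions quoted above, as an added example that is not part of the issue thread or of rousette's code: a small Python audit over NACM data in the ietf-netconf-acm (RFC 8341) JSON layout, reporting which condition causes "Anonymous user access disabled". The group name `anon-group`, the sample rule-lists, and the reading of condition 1 as "the group is listed in the first entry" are assumptions.

```python
def _ops(rule):
    # access-operations is a YANG bits leaf: space-separated names, default "*"
    return set(rule.get("access-operations", "*").split())

def anonymous_access(nacm, anon_group):
    """Return (enabled, reason) for the three conditions quoted in the issue."""
    rule_lists = nacm.get("ietf-netconf-acm:nacm", {}).get("rule-list", [])
    if not rule_lists:
        return False, "no rule-list configured"
    first = rule_lists[0]
    # Condition 1 (assumed to mean: the group is listed in the first entry)
    if anon_group not in first.get("group", []):
        return False, "first rule-list is not for the anonymous group"
    rules = first.get("rule", [])
    if not rules:
        return False, "first rule-list has no rules"
    # Condition 2: every rule except the last names only the "read" operation
    for r in rules[:-1]:
        if _ops(r) != {"read"}:
            return False, f"rule '{r.get('name')}' is not read-only"
    # Condition 3: the last rule denies all operations on all modules
    last = rules[-1]
    if (last.get("module-name", "*") != "*" or _ops(last) != {"*"}
            or last.get("action") != "deny"):
        return False, "last rule is not a deny-all wildcard"
    return True, "anonymous read access enabled"

def _cfg(*rule_lists):
    return {"ietf-netconf-acm:nacm": {"rule-list": list(rule_lists)}}

ANON = "anon-group"  # constructed placeholder for ANONYMOUS_USER_GROUP
DENY_ALL = {"name": "deny-rest", "module-name": "*",
            "access-operations": "*", "action": "deny"}
READ_SYS = {"name": "read-system", "module-name": "ietf-system",
            "access-operations": "read", "action": "permit"}
ANON_LIST = {"name": "anon", "group": [ANON], "rule": [READ_SYS, DENY_ALL]}
ADMIN_LIST = {"name": "admin", "group": ["admin"], "rule": [
    {"name": "all", "module-name": "*", "access-operations": "*",
     "action": "permit"}]}
SAMPLES = {  # constructed configurations, one per failure mode
    "valid": _cfg(ANON_LIST, ADMIN_LIST),
    "anon list not first": _cfg(ADMIN_LIST, ANON_LIST),
    "write rule": _cfg({**ANON_LIST, "rule": [
        {**READ_SYS, "access-operations": "read update"}, DENY_ALL]}),
    "no final deny": _cfg({**ANON_LIST, "rule": [READ_SYS]}),
}

if __name__ == "__main__":
    for label, cfg in SAMPLES.items():
        print(label, "->", anonymous_access(cfg, ANON))
```
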

@mattiaswal
Contributor

For anonymous we should add a switch to rousette that preferred enable anonymous mode, and test if they accept it.

@troglobit troglobit added this to the Infix v25.02 milestone Jan 23, 2025
@troglobit troglobit removed the triage Pending investigation & classification (CCB) label Jan 23, 2025
@troglobit troglobit moved this to In progress in Infix & C:o Jan 29, 2025